However, all I could do in text console is take a picture with my mobile camera...

I trust there just was perfectly enough reason for Grsec/Pax to halt the kernel.

I don't want to bother Spender and Pax, and it would be great if someone of you clever people who use these great programs, such as M$ used it in Skype (oh, but they tried to covertly use it, ooh what a pity they were brought to light by a fine hacker)...

I really would be so happy if there were a little more gratitude among you big guys and big firms who use this (I am a user of very modest means who can't even afford to eat well, that's how modest I am), and give us, the users of Grsec/Pax, here, upon this example that I can provide, some insight into the attack that happened. By gratitude I mean gratitude to Spender and Pax Team. The system I have not booted into, and I am taking disk dump images (with dd) of all the system partitions, having booted into the latest sysresccd instead, but I'll be around, as soon as I get a little sleep, to follow possible advice on what to search for, and where to possibly search for it, in the non-system partitions.

I suspect it is an attack because only with two of my systems which I went online with these days and weeks I have had strange issues. And I can prove those issues with both wireshark pcapng captures and, so regular users like me would understand, I also keep screencasting with ffmpeg, courtesy of Christian Marillat, certainly not Stefano Zacchiroli...

Pls. don't try to blame any of what I write to anyone else but me.

Pls. any of you high level users, or pros, give us an insight into what happened here. Tell me what I need to provide you, like I know it's /var/log/messages and /var/log/kern.log to look into... but possibly so much more...

Because I believe it would be great for normal users like me, to have an insight into the great defence for their systems, and for the developers of Grsec/Pax that just means absolutely legitimate work and absolutely legitimate goals of protecting systems, but for me, if I translate it, it means my data is sooo much safer than it could ever be with any other crap like SELinux or any other protection for systems that I don't think stand any chances in comparison with Grsec/Pax. Not everybody can be either Leonardo or Michelangelo.

The system that panicked, and was halted by grsec, is my Gentoo install. And it was much less online than one of my Debian systems. Just enough to:

, and the downloaded packages I then use for my other Gentoo systems that work just about faultlessly. However, I have noticed (on Wireshark) very frequent communication between the sometimes-online Gentoo box and the more-online Debian box. The communication is on the non-internet-connected local network, but happens when one of the systems is online. The Debian box is the defence, the data not really there to ruin... After having had loss of data for being exposed online, I am offline mostly with the Gentoos, the bigger boxes.

Soo, here's the screenshot of the halted system (I hope I can upload it somewhere), it's:

I need some rest now. I'm also not a healthy person, so if I take longer, pls have a look at my posts, I always come back (no red-shaded posts to blame on me).

Miroslav Rovis

I hope I have somehow made it to make this picture of the monitor of the panicked Gentoo available near this post... (I wrote this in advance while offline).

No, I don't see such a possibility on forums.grsecurity.net. So I have to either later come back once I have posted it somewhere, or wait and see if I get a permit by the administrator to post it somehow here. But I have also prepared a downsized version of it:

there are many file sharing sites where you can upload your screenshot or just email it to us. in the worst case, just transcribe it into text, seemingly you're such a prolific writer that it should take you even less time than your original report.

In case the picture either can or cannot be uploaded, this will be useful. In case, by the time a later reader reads this, he could have found the text only if some search engine didn't hide from users (as Google often hides) that those words were to be found here in this text above.

This is that last text displayed on my monitor when the kernel froze.

This above, manual copying work, is just my pledge to show the readers how serious my desire is to contribute to the just and honest side of computing (Grsec/Pax is the cleanest and the make-or-break point in free computing of today, yes it is![*]), which for me means possibly free from systematic/regimatic surveillance and abuse. I actually believe that there probably is all this information somewhere to be found on my system, as long as I keep it mounted readonly, which I intend to do... However, not for more than a day or two or so. I need that worker system of mine. And for me to be able to do more, I'd need to be told where I could possibly get to maybe read a tutorial on the internet on this or any other info.

Anybody to help with advice? If only one small fraction of people whose computers have been protected by Grsec/Pax showed up with advice/tutorials for their GNU/Linux distro/tips&tricks here, these forums would teem with great stuff, and even newbies would find their ways!

And Grsec/Pax developers would be free for their work! Wake up people, don't be selfish. Let's not allow these people, who we all need for Grsec/Pax in our boxes, to overwork and burn.

Along with this Gentoo system that crashed, I certainly cannot stay online for much more with my compromised Debian box either, which I just cannot trust after long downloads online such as the Debian weekly builds.

I have my poor user's defences, and I'll probably be able to revert the state of this or another of my Debian boxes to a hopefully clean state, and I'll also try and update Debian to the current state of the testing branch, and the latest grsec/pax patched kernel.

I will need some time for all that, and I'm a late adopter, am now 56, so let's see how this story goes. Bear with me.

I sure had to write all this offline...

Miroslav Rovis

==============================================================================
[*] Grsecurity/Pax is the cleanest and the make-or-break point in free computing of today. Yes it is! Surely leave out M$ and Apple, they have backdoors and do you in, anytime in any matter, with your Internet/local/any work on your computer. GNU/Linux is the OS having the sound, unbreakable backbone of the GNU License, which is more than just techie open source Google style or worse yet licenses. So it's both free and open and cannot get, well it should not get, well if it gets, the world has lost free computing... So it's open and ... cannot get into some Larry Oracle hands like Java and MySQL and others... But Linus sold out to NSA. Yes he did. It seems he decided he has to remain the number one in the world, even though there are these guys here, who wrote Grsecurity/Pax, who beat him. The only thing that makes your GNU/Linuces viable for your privacy, which most every country vows to uphold in their Constitutions, but most no country in the world really upholds in practice... Most every country has some Fourth Amendment kind of clause telling the world how their citizens' privacy is sacrosanct...

But Linus sold out to NSA. Yes he did. And what was a program that NSA wanted to sell as somebody else's, some now rather forgotten people's from Red Hat Linux probably some decade or more years ago... NSA seems to have soon had to admit that that program wasn't made by those Red Hat developers... I read the correspondence, and I cannot find that correspondence now, if somebody knows, give us the link... it's on, I think, http://www.lwn.net between Spender, Pax and those little important developers, and even I could figure out they didn't understand their "own" program... Anyways, the GNU/Linux developers' world not being made of dupes and dummies as some NSA chief must have expected, NSA eventually came out and owned up to this program that is such a great friend of Linus Torvalds, which is: SELinux (Security Enhanced Linux). SELinux, according to these guys, more precisely Spender I know saw that it was so (read my other posts, I did give a link somewhere), according to these guys Spender and Pax Team, who I completely support not for any sycophantic reasons, but because they are my, a poor user, a late adopter of very incomplete competence in the matter, because they are my only chance to use my computers freely... SELinux, according to these guys, was back then full of purpose-built hooks for root-kit kind of intervention. Well, what would you expect from a program made by NSA? That it would be made for your freedom and not for their spying on you under the guise of a secure system...?

Support is lacking here, for Grsec/Pax, and I mean honest big business (is there any? how much honesty is there left with, say, Google after it sold out for spying?; and Larry and Serge did start honestly!)... or at least some medium size businesses... There must be some left... Or numerous small businesses if there were... And worldwide, not only U.S. of A. Businesses should, and thanks to those that do, whose logos you see associated with Grsecurity/Pax! Businesses should recognize that they all need Grsec/Pax in GNU/Linuces!

But I can assure you, not for knowing it, noo! I'm not an insider, but I look with eyes without the dirt of lies and disguise, by the grace of God, or if you don't feel you can believe, then, by the virtues of honesty and diligence and sincere insight on things available for seeing for all of us...

But I can assure you, taxpayers' money, and not only U.S. of A., but at least some European countries too, in some shady ways, is flowing toward... toward breaking the freedom of GNU/Linux, via SELinux or other stuff... for the sake of surveillance.

SELinux may have even metamorphosed in some ways... The rootkit-ready hooks may even have been near perfectly hidden by now... Hooks so NSA and other big subjects of the kind might get their hold on GNU/Linux boxes when they need to do so...

That's where Linus Torvalds sold us!

The only thing that makes your GNU/Linuces viable for you to use them to be free and do things on the Internet freely, and freely live your lives, which often requires free computing, such as free unsurveilled communication worldwide... The only thing that makes your GNU/Linuces viable for so much is Grsec/Pax! Go ask bigger boys than me about it. If they don't lie, they will confirm my words.

This truth above needs to be spread! Newbies need to know this! Again, newbies need to know this! There is some free speech left in the leader, the arrogant and abusive leader that the U.S. of A. has become, but still the leader country, although not for long more... In the leader country and lots of other countries that pretty much follow it. Not for long more... You are breaking on the inside, dear U.S. Americans, what about your Veterans who you take to wars for no reason, and discard like rags when they break, what about your homeless, your crap GMO food, your filthy banksters' elite of dirt... But there is still some free speech. If you keep quiet about these truths, dear reader, they'll manage to take away from us the last bastion of defence of free computing, and that is GNU/Linux...
==============================================================================

So the NSA or some such subject didn't succeed on my box, Grsec/Pax defended my computer... That's the suspicion of mine. I can't prove that, but sure I can't let you forget that the wholesale spying on all talk, all mail, all communication whatsoever, in shameless denial of privacy, is on most of the whole world, very big-brotherly Orwellian, which makes my suspicion so very possible! Don't forget Edward Snowden and his revelations ever! Sure it could be some rogue individual hacker, but they don't break where there's no money (and there isn't any here), unless they are paid money to break... Soo... Now back to what I wrote much further above. I need advice what to look up in the box that crashed and that I'll keep mounted readonly (the partition which I cannot disk dump backup) for a day or two or three, I don't know how long I am going to wait... I did dd all the system partitions. I'll only wait if any of the readers gets me somewhere, maybe the address of some tutorial, where I could possibly look up things related to this probable attack, on the data partition. Because the data partition is some 600GB, and I need it for my work, so this is urgent advice or it'll be late... Surely I will run clamav on it, but not much more do I know what to do... On the other hand, I'll be able to loop-mount the dd'd system partitions even probably a month or two or more from now, because I'll keep them longer for some late advice maybe. And in such a way, if you are a late reader of this line and could help, I probably still have the snapshots of the exact state of my system partition at the time of the crash.

Looking short term, I'll now do the usual Debian updates and check and report the Grsec/Pax install on it. And it'll take longish too...

Miroslav Rovis (again I sign this, I'm broken with tiredness, if things are unfinished, I may or may not try to edit, and note those edits with capital EDIT letters if I do, but the work I have on my hands, and it's not all computing related, is bigger than the time I have available)

Last edited by timbgo on Wed Oct 30, 2013 2:39 pm, edited 2 times in total.

You've actually found a real bug (potential vulnerability) in the upstream Linux kernel. This was detected thanks to a recent addition to grsecurity contributed by Mathias Krause: slab object sanitization. As mentioned in its config help, it's also useful for detecting use-after-free vulnerabilities, as it's done here. It uses the fill pattern of 0xfe on amd64, because on following a sanitized pointer of this pattern, 0xfefefefefefefefe will be dereferenced, causing a GPF due to it being a non-canonical address (uppermost bits must be either 0xffff or 0x0000). I'm 99% sure this is exactly what happened here, as you can see by the oops type and contents of rax and rcx registers, but we can confirm it easily if you give us the "Code: <hex digits here>" line appearing at the end of the oops message, or by providing the corresponding vmlinux.

Is this issue reproducible for you at all? We'll likely need to report this one upstream to have it fixed, as it'll be much more easily fixed by someone with intimate knowledge of NFS. Having some clear, small, reproducible testcase would help that person fix the problem.
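The detection Brad describes above, filling freed slab objects with 0xfe so that a stale pointer turns into a non-canonical address and faults instead of silently reusing whatever now occupies the slot, can be modelled in user space. The C program below is an added example written for this page, not grsecurity's or Mathias Krause's code: the slab cache is a tiny static arena with the hypothetical functions toy_slab_alloc and toy_slab_free, the canonical-address rule (bits 63..48 must copy bit 47) and the 0xfe fill byte are the only facts taken from the post, and a 64-bit build is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* On x86-64 a virtual address is canonical only if bits 63..48 are all
 * copies of bit 47; dereferencing anything else raises a general
 * protection fault (#GP), which is the oops seen in the post. */
int is_canonical_x86_64(uint64_t addr)
{
    uint64_t top17 = addr >> 47;          /* bit 47 plus bits 48..63 */
    return top17 == 0 || top17 == 0x1ffff;
}

/* Fill byte the post says grsecurity's slab sanitization uses on amd64. */
#define SANITIZE_FILL_BYTE 0xfe

/* Toy slab cache (constructed for this example, not grsecurity's code):
 * a fixed arena of objects plus an in-use flag per slot. */
struct node {
    struct node *next;
    int value;
};

#define SLOTS 4
static struct node arena[SLOTS];
static int in_use[SLOTS];

struct node *toy_slab_alloc(void)
{
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(&arena[i], 0, sizeof arena[i]);
            return &arena[i];
        }
    }
    return NULL;
}

/* Sanitizing free: overwrite the object before handing the slot back,
 * so any pointer field a stale user reads is 0xfefefefefefefefe. */
void toy_slab_free(struct node *obj)
{
    memset(obj, SANITIZE_FILL_BYTE, sizeof *obj);
    in_use[obj - arena] = 0;
}

/* Simulated use-after-free: read the stale `next` field of an object that
 * was already freed and return the raw bits a buggy caller would follow.
 * The slot stays inside `arena`, so the read itself is well-defined here;
 * in a real kernel the subsequent dereference is what faults. */
uint64_t stale_next_bits_after_free(void)
{
    struct node *a = toy_slab_alloc();
    struct node *b = toy_slab_alloc();
    a->next = b;                  /* a links to b while both are live */
    a->value = 42;
    toy_slab_free(a);             /* a is freed, but the caller keeps a */
    uintptr_t raw;
    memcpy(&raw, &a->next, sizeof raw);   /* read the poisoned field */
    toy_slab_free(b);
    return (uint64_t)raw;         /* assumes 64-bit pointers */
}

/* 1 if following the stale pointer would be caught by the canonical-address
 * check (a #GP at the bug) rather than silently reading another object. */
int stale_pointer_would_fault(void)
{
    return !is_canonical_x86_64(stale_next_bits_after_free());
}

int main(void)
{
    uint64_t bits = stale_next_bits_after_free();
    printf("stale next after sanitizing free: 0x%016llx canonical=%d\n",
           (unsigned long long)bits, is_canonical_x86_64(bits));
    printf("typical kernel address 0xffff880000000000 canonical=%d\n",
           is_canonical_x86_64(0xffff880000000000ULL));
    return 0;
}
```

For a defender the useful point is the first printed line: after a sanitizing free the stale `next` field reads back as 0xfefefefefefefefe, which is_canonical_x86_64 rejects, so a kernel that follows it takes a general protection fault right at the use-after-free. Without the fill the same read would return whatever object had since been placed in the slot, and the bug would go unnoticed until it corrupted something; the oops that looked like an attack in this thread is the detection doing its job.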

Thank you! Glad that I'm useful. Already at the time of my previous post I sent the image to you, Spender. But, judging by your reply, you seem not to have got it. And just now, I also sent it, to you again, but also to pageexec at freemail dot hu. But I have screencasts to prove it, and also wireshark captures.

I will now urgently postpone what I thought I would first do, and try to more fully respond to what you said I needed to do. Which means I first have to properly understand what you told me, which is not so trivial to me... Wait, I understood this one. I need to send you the vmlinuz that crashed. I'll do it next. If I don't pronto report otherwise here, it has been sent.
Miroslav Rovis

To your address and to Pax's address I now sent the vmlinuz too. I can't figure out if you received the image or not. And did you now receive a gpg-signed vmlinuz in question? So I don't need to wake on this to be in the clear?
Miroslav Rovis

But, like I said, I'll be back once I have understood what more I need to do, which is not trivial for me.

I'm 99% sure this is exactly what happened here, as you can see by the oops type and contents of rax and rcx registers,

I wish I could see, but it's mumbo, mostly, for me. Never mind! You probably mean what is after the hardware and module listing, and those RIP, RSP, RAX, RBP all the way to DR0 and DR3 lines... And after the Stack: (three lines) And after the Call Trace: (exactly ten lines) This code:

But you need to check it against the screenshot (by mobile camera) taken of my monitor, which I'll probably find out if you received once I'm back online, for correctness... If that is what you are talking about? Namely I guess the whole screen is what you refer to as the Oops message (because I didn't locate any "oops" word on it, but that is what it probably is)... And now for the newbies. Esp. those reading this much later on. I'll finish the manual copying of the whole screen. Just I need more time...

Miroslav Rovis

Last edited by timbgo on Wed Oct 30, 2013 2:40 pm, edited 2 times in total.

spender wrote:Is this issue reproducible for you at all? We'll likely need to report this one upstream to have it fixed, as it'll be much more easily fixed by someone with intimate knowledge of NFS. Having some clear, small, reproducible testcase would help that person fix the problem.-Brad

I'll be glad to be even more useful, but how do I reproduce it? I have the same kernel, well, just compiled locally, on three more Gentoo systems. How could I reproduce it? Only this one that some attacker, probably, from the live internet connection from the Debian system, interfered with, only this Gentoo system, that itself was online (for eix update, and layman whatever... downloading the packages from Gentoo repositories) of all my Gentoo systems, crashed...

[[ Only this one Gentoo system that some attacker, probably, from the live internet connection from the Debian system, interfered with, through local non-internet-connected network that all the systems are on... ]]

Anyways, for the newbies newbier than me, I'll finish off the text-reconstruction of the Oops frozen page, all in its own post, complete, next.

Just let me go back to Debian: no guides, and a huge population of users! So half-computer-literate me being, in comparison to these giants that condescended to converse with me above, I have not configured it in my Debian Grsecurity/Pax enabled kernel. Here:

(that's an empty string returned) Too much work to figure all so quickly! Will be back to report if I fixed my Debian, as this simply is a matter of survival for me. I'm like a sparrow, could not live in any "No Such Agencies" cages. (As they recently explained on Russia Today, where great American homeland and offshore dissidents often are interviewed, "No Such Agency" was the nickname for NSA since 1952 when U.S. of A.'s president and world war criminal Harry Truman established it.)

All the time, the Gentoo box in which the above suspicious kernel crash occurred, and where, my thanks here also go to the Grsecurity/Pax Gentoo GNU/Linux implementers, the non-SELinux hardened team (because, sadly, Gentoo is not SELinux free as offered to the uninformed, and newbies easily end up with those NSA's hooks for the spies, in the kernel)... all the time the Gentoo box in question was off-line, safely, more precisely would-be safely away from the internet and its lurks and all kinds of its malicious subjects, some big, even very big like the "No Such Agency", some whatever size, down to minuscule...

That Gentoo box was off and away from the internet, but was, as I previously said, the only one that was online for download of the new packages from Gentoo repositories, some week ago now, and back from then, a month, and some two months ago, for the same kind of download. I haven't reverted it into a clean state yet (in my what I call poor user's defence, clean state is reverting it from a previous system backup and installing the new packages not via online, but from existing local downloads of those) in probably a few weeks, so that's where some intrusion may have gained a foothold.

Now, the exact processes that to me as a user seem to bear connection to the suspicious crash, were moving this file: debian-testing-amd64-DVD-11.iso that I downloaded through due procedure using the jigdo files from: http://cdimage.debian.org/cdimage/weekly-builds/amd64/jigdo-dvd/ Upon checking the sums, I noticed that, while the other DVD-XX.iso files, all the first 10, were of correct checksum, this one wasn't. Wait, not in the Debian box where I downloaded it. The jigdo program didn't complain, No, said "The checksum is good!". But on the Gentoo box where I moved it. Because in my poor user's defence against various no-such-agencies or other lurks and malicious subjects, I use cloning systems and installing almost only offline. This one dirty? I'll use the next clone that I created offline earlier... How cloning is done, look up my posts on Gentoo. There I am user MiroR, Gentoo I haven't noticed that they delete users' posts. And for the cloning sure you need a network and more machines... Old is fine, for internet access (if it's not very old)! Seeing the DVD-11.iso was not of correct checksum, and I still have that somehow compromised one, and I'll keep it for months from now, here's that wrong checksum: No, I'm giving you no checksum. I'm jumping into my mouth instead. Because the checksum is exactly as it should be. I still have System Rescue CD started from a usb stick on that system, and checked and all the sums are correct. They are in the data partition mounted readonly, sure. Still waiting for possible advice to be able to restart using that system. The system was compromised and it did show a wrong checksum, but that was something wrong with the system, not with the DVD-11 of the Debian weekly testing branch!
Curious! I can confirm that before God and the Heaven, because I have the old SHA256SUM.my where I calculate sums in when I check them! This is the first time in my life that I see the program sha256sum return an erroneously wrong value while the value is correct in reality, for some suspicious, probably malicious, activity on my system! Curious!

I would like to know what happened in my kernel that I sent to Spender and Pax Team via email. I would only like to; I don't hold the big guys and the giants as bound to tell us here, I'm proud anyway to have been able to help!

So any of you big guys, if you remember, tell us more, in as possibly user-understandable talk as you can!

Or my peer common users, if you find anywhere talk about this file:

vmlinuz-3.10.5-hardened-r1-130817_04

and related to this bug, give us the link here, because that is the kernel in question I sent to Brad and Pax Team.

Thank you!

I'll also make a note about this on Gentoo GNU/Linux forums, where I am user MiroR. Let as much as possible of the GNU/Linux population of users know what protection Grsecurity/Pax provides to common users like me, along with M$ Skype (pls. find link somewhere in some of my previous posts if you don't yet know about the would-be-covert use of Grsec/Pax by Microsoft) and all the others!

And now, as I promised many lines ago above, I need to type out the rest of the Oops page next. Ouch!

Some of the problems that I need to solve include whether Debian can do the work that I need it to do at all. There is nearly always "no PIE", no Position Independent Executable support in the Debian toolchain. Pls. it is about this, which I also need to solve for the other OS to be used for my SOHO, on the slower machines, where the Gentoo long-time compilations would prolong the installation to unacceptable, I'm afraid, it is about this: https://forums.grsecurity.net/viewtopic.php?f=3&t=2131

I am thinking of a Debian based system, the gNewSense distro, and let's have a look if Richard Stallman's team's practice is as good as his own, the GNU and FSF founder's views, which I very much wish to be the case, I really do.

Because Debian is currently having serious issues with the testing branch (also the available 2013-08-19 builds don't work for me, and that's an understatement): http://cdimage.debian.org/cdimage/weekly-builds/amd64/ Lots of "...build failed with error 1 at 2013-08-26..." there. I'm really not relishing it, really I wish Debian would shine in the future, but could it also be that so it happens when you stray from the right path?